Enterprise Resource Planning (“ERP”) software is a type of software used by many companies to plan and manage various business functions, such as budgeting, accounting, human resources, inventory, customer relationships, and so on. ERP software typically provides access to a database from which users and applications may retrieve information related to the various business functions. Users and application resources typically interact with the database via a plurality of database objects. For example, a table object may provide access to a data table while a form object may provide the code necessary for displaying a form that can be used to access data with a table. As another example, a codeunit may provide logic for manipulating the data and objects associated with the database. In addition to the above-mentioned objects, typical database objects may also include reports, records, menusuites, dataports, and XMLports.
ERP software typically manages access (e.g., read, insert, modify, delete, execute) to the various objects through the use of permissions maintained at the database server. The permissions include direct and indirect user permissions and indirect object permissions. Direct user permissions allow a user to access an object directly. For example, if a user has direct insert permission for a table, the user may be able to input data into the table directly through an interface provided by the table object. Indirect permissions allow a user to access one object via another object (the “parent object”) by executing logic of the parent object. For example, a form object may provide an interface for manipulating table data by interacting with a table object. If a user has permission to execute the form object and both the user and the form object have permission to access the table object indirectly, a request by the form object to access the table object on behalf of the user can be granted.
When a user connects to the database server, typically through a client, the user's permissions may be retrieved from the database server and stored at the client's computer. When a user attempts to access an object, the user's permissions are checked at the client computer and if the user has the necessary permissions, the object is retrieved from the database and executed at the client. In this two-tiered architecture (i.e., fat clients and a server), access to the various objects is generally managed at a client computer using the permissions retrieved from the database server. Managing permissions at the client computer can create security problems for the ERP software as a user may be able to manipulate the permission information locally and obtain access to privileged data maintained at the database server.
The database objects typically operate in an unmanaged environment in which the source code for the objects is compiled into machine language and executed directly by a CPU. A managed environment, in contrast, provides machine-independent code, such as Common Intermediate Language (CIL) code, formerly known as Microsoft Intermediate Language (MSIL) code, that is executed by a virtual machine, such as Microsoft's Common Language Runtime (“CLR”). At runtime, the virtual machine converts the machine-independent code into instructions compatible for execution by the underlying CPU. A virtual machine allows developers to produce code that can be executed within a number of different operating system environments without being recompiled and also provides various services, such as memory management, security, Just-In-Time compilation, and so on.